Requirements of sending deferred media information to the media mailbox of the receiving party are proposed in the media security technology of the IP Multimedia Subsystem (IMS). This situation generally happens when the sending party (user A) sends the media information to the receiving party (user B), and user B is in an offline state (There are many causes which can result in the offline of user B, such as user B is shut down, user B does not log in, user B is out of the service area, etc). In this situation, because of user B's unavailability, the key negotiation mechanism which requires that both parties are online can not be used, and a Key Management Server (KMS) as a trusted third party must be introduced to realize that the communicating parties can obtain the shared media key through an asynchronous mode.
At present, as for the secure sending of the deferred media information, there are two solutions in the technical documents related to the media security of the IP Multimedia Subsystem (IMS): one is based on a Ticket-based System (TBS), and the other is based on the Otway Rees protocol (it is an authentication and code exchange protocol). However, both of the two prior arts have defects, which will be described respectively hereinafter in detail.
FIG. 1 is a schematic diagram of a framework of the solutions to the media plane security in the IMS based on the TBS and the Otway Rees protocol in the prior art, wherein
user A (UE-A) and user B (UE-B) are the sending party and the receiving party of the media information respectively;
the Key Management Server (KMS) is a trusted third party performing the key management and distribution function;
P-CSCF (Proxy-Calling Session Control Function) and S-CSCF (Service-Calling Session Control Function) are network elements of the IMS; and
functions of other network elements in FIG. 1 are not described in detail herein. Please refer to other related documents.
FIG. 2 is a flowchart of a method for establishing a media channel between the calling party (user A) and the called party (user B) based on the framework shown in FIG. 1. As shown in FIG. 2, the following steps need to be performed to establish the secure media channel between user A and user B, and to send the media information through the media channel.
Step 201, user A and user B respectively establish a secured connection with the KMS in a Generic Bootstrapping Architecture (GBA) mode.
In the case that GBA cannot be used, user A and user B can establish a secured connection with the KMS based on other authentication methods, such as pre-established security association, etc.
Step 202, user A sends a request for applying a media master key and a ticket to the KMS.
Step 203, the KMS generates the media master key and the ticket, and returns the media master key and the ticket to user A.
Step 204, user A sends an INVITE message which comprises the ticket to user B through the IMS network.
Step 205, after receiving the INVITE message which comprises the ticket, the IMS network sends the INVITE message to user B,
wherein the authorized elements in the IMS network can send the ticket to the KMS to obtain the media master key.
Step 206, after receiving the INVITE message, user B sends the ticket comprised in the INVITE message to the KMS to obtain the media master key.
Step 207, the KMS verifies the identity of user B. After the verification is approved, the KMS takes out the media master key and sends the media master key to user B.
Step 208, user B successfully accepts the calling request from user A.
The above mentioned is the process when the called party (user B) is in the online state. When user B is offline, which means that it is under the circumstance of sending deferred media information, no detailed implementation method is given in any relevant documents. Only a schematic diagram of a framework of a deferred media information security solution in the IMS as shown in FIG. 3 and a brief introduction are provided in the prior arts. The brief introduction is as follows.
User A first sends the ticket to the mailbox server of user B through INVITE message, and then user A sends the media information to the mailbox server of user B. When user B logs in, user B obtains the ticket from the mailbox server, and then sends the ticket to the KMS. Next, the KMS sends the media master key to user B.
To sum up, the sending of deferred media information can be realized through the TBS, while the implementation method is relatively complicated, that is no matter whether user B logs in, user A and user B both need to interact with the KMS.
Compared with the solution based on the TBS, the solution based on the Otway Rees protocol of the media security in the IMS uses similar network framework and reduces the signaling interaction with the KMS. But, because the media master key may be repeatedly used in the solution based on the Otway Rees protocol, the KMS needs to store the generated media master key, which will cause a problem of the statefulness of the KMS (namely, the problem that the KMS can not afford the excessive storage requirement). Other defect of the solution based on the Otway Rees protocol is that if the shared key between the sending party and the KMS is expired, after logs in the receiving party obtains the information encrypted with the expired key and forwards this information to the KMS, then the KMS can not decrypt the encrypted information. Therefore, the KMS can not regenerates the media master key according to the information in this situation. As a result the receiving party can not obtain the media master key, and can not decrypt the encrypted media information to obtain the media information.